diff options
author | Daniel García <[email protected]> | 2024-07-12 20:05:54 +0200 |
---|---|---|
committer | Daniel García <[email protected]> | 2024-07-12 20:05:54 +0200 |
commit | aaf61dc117d96df153163d390873bbdaec8ec27c (patch) | |
tree | c249f9e1c95e8115e1558044d887a042c773e487 | |
parent | bbbbd2fb482684149b573aa1acbc98f7fb1408b9 (diff) | |
download | vaultwarden-aaf61dc117d96df153163d390873bbdaec8ec27c.tar.gz vaultwarden-aaf61dc117d96df153163d390873bbdaec8ec27c.zip |
Change config compat to use auto, rename blacklist
-rw-r--r-- | .env.template | 6 | ||||
-rw-r--r-- | src/api/icons.rs | 2 | ||||
-rw-r--r-- | src/config.rs | 19 | ||||
-rw-r--r-- | src/error.rs | 2 | ||||
-rw-r--r-- | src/http_client.rs | 31 |
5 files changed, 29 insertions, 31 deletions
diff --git a/.env.template b/.env.template index 8773bdea..c4e391e4 100644 --- a/.env.template +++ b/.env.template @@ -320,15 +320,15 @@ ## The default is 10 seconds, but this could be to low on slower network connections # ICON_DOWNLOAD_TIMEOUT=10 -## HTTP blacklist Regex +## Block HTTP domains/IPs by Regex ## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. ## Useful to hide other servers in the local network. Check the WIKI for more details ## NOTE: Always enclose this regex withing single quotes! -# HTTP_REQUEST_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' +# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' ## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block -# HTTP_REQUEST_BLACKLIST_NON_GLOBAL_IPS=true +# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true ## Client Settings ## Enable experimental feature flags for clients. diff --git a/src/api/icons.rs b/src/api/icons.rs index f8fe059b..83f3e9e9 100644 --- a/src/api/icons.rs +++ b/src/api/icons.rs @@ -181,7 +181,7 @@ async fn get_icon(domain: &str) -> Option<(Vec<u8>, String)> { Some((icon.to_vec(), icon_type.unwrap_or("x-icon").to_string())) } Err(e) => { - // If this error comes from the custom resolver, this means this is a blacklisted domain + // If this error comes from the custom resolver, this means this is a blocked domain // or non global IP, don't save the miss file in this case to avoid leaking it if let Some(error) = CustomHttpClientError::downcast_ref(&e) { warn!("{error}"); diff --git a/src/config.rs b/src/config.rs index 7ce2a255..40071abf 100644 --- a/src/config.rs +++ b/src/config.rs @@ -148,9 +148,8 @@ macro_rules! make_config { // Copy the values from the deprecated flags to the new ones - if config.http_request_blacklist_regex.is_none() { - config.http_request_blacklist_non_global_ips = config.icon_blacklist_non_global_ips; - config.http_request_blacklist_regex = config.icon_blacklist_regex.clone(); + if config.http_request_block_regex.is_none() { + config.http_request_block_regex = config.icon_blacklist_regex.clone(); } config @@ -544,12 +543,12 @@ make_config! { /// [Deprecated] Icon blacklist non global IPs |> Use `http_request_blacklist_non_global_ips` instead icon_blacklist_non_global_ips: bool, false, def, true; - /// HTTP blacklist Regex |> Any domains or IPs that match this regex won't be fetched by the internal HTTP client. + /// Block HTTP domains/IPs by Regex |> Any domains or IPs that match this regex won't be fetched by the internal HTTP client. /// Useful to hide other servers in the local network. Check the WIKI for more details - http_request_blacklist_regex: String, true, option; - /// Blacklist non global IPs |> Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. + http_request_block_regex: String, true, option; + /// Block non global IPs |> Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. /// Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block - http_request_blacklist_non_global_ips: bool, true, def, true; + http_request_block_non_global_ips: bool, true, auto, |c| c.icon_blacklist_non_global_ips; /// Disable Two-Factor remember |> Enabling this would force the users to use a second factor to login every time. /// Note that the checkbox would still be present, but ignored. @@ -912,12 +911,12 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> { err!("To use email 2FA as automatic fallback, email 2fa has to be enabled!"); } - // Check if the icon blacklist regex is valid - if let Some(ref r) = cfg.http_request_blacklist_regex { + // Check if the HTTP request block regex is valid + if let Some(ref r) = cfg.http_request_block_regex { let validate_regex = regex::Regex::new(r); match validate_regex { Ok(_) => (), - Err(e) => err!(format!("`HTTP_REQUEST_BLACKLIST_REGEX` is invalid: {e:#?}")), + Err(e) => err!(format!("`HTTP_REQUEST_BLOCK_REGEX` is invalid: {e:#?}")), } } diff --git a/src/error.rs b/src/error.rs index 51d60982..b2872775 100644 --- a/src/error.rs +++ b/src/error.rs @@ -70,7 +70,7 @@ make_error! { // Used to represent err! calls Simple(String): _no_source, _api_error, - // Used in our custom http client to handle non-global IPs and blacklisted domains + // Used in our custom http client to handle non-global IPs and blocked domains CustomHttpClient(CustomHttpClientError): _has_source, _api_error, // Used for special return values, like 2FA errors diff --git a/src/http_client.rs b/src/http_client.rs index 46f28d77..b4b8012e 100644 --- a/src/http_client.rs +++ b/src/http_client.rs @@ -66,37 +66,36 @@ pub fn should_block_address(domain_or_ip: &str) -> bool { } } - should_block_address_blacklist(domain_or_ip) + should_block_address_regex(domain_or_ip) } fn should_block_ip(ip: IpAddr) -> bool { - if !CONFIG.http_request_blacklist_non_global_ips() { + if !CONFIG.http_request_block_non_global_ips() { return false; } !is_global(ip) } -fn should_block_address_blacklist(domain_or_ip: &str) -> bool { - let Some(config_blacklist) = CONFIG.http_request_blacklist_regex() else { +fn should_block_address_regex(domain_or_ip: &str) -> bool { + let Some(block_regex) = CONFIG.http_request_block_regex() else { return false; }; - // Compiled domain blacklist - static COMPILED_BLACKLIST: Mutex<Option<(String, Regex)>> = Mutex::new(None); - let mut guard = COMPILED_BLACKLIST.lock().unwrap(); + static COMPILED_REGEX: Mutex<Option<(String, Regex)>> = Mutex::new(None); + let mut guard = COMPILED_REGEX.lock().unwrap(); // If the stored regex is up to date, use it if let Some((value, regex)) = &*guard { - if value == &config_blacklist { + if value == &block_regex { return regex.is_match(domain_or_ip); } } // If we don't have a regex stored, or it's not up to date, recreate it - let regex = Regex::new(&config_blacklist).unwrap(); + let regex = Regex::new(&block_regex).unwrap(); let is_match = regex.is_match(domain_or_ip); - *guard = Some((config_blacklist, regex)); + *guard = Some((block_regex, regex)); is_match } @@ -117,8 +116,8 @@ fn should_block_host(host: Host<&str>) -> Result<(), CustomHttpClientError> { } } - if should_block_address_blacklist(&host_str) { - return Err(CustomHttpClientError::Blacklist { + if should_block_address_regex(&host_str) { + return Err(CustomHttpClientError::Blocked { domain: host_str, }); } @@ -128,7 +127,7 @@ fn should_block_host(host: Host<&str>) -> Result<(), CustomHttpClientError> { #[derive(Debug, Clone)] pub enum CustomHttpClientError { - Blacklist { + Blocked { domain: String, }, NonGlobalIp { @@ -154,9 +153,9 @@ impl CustomHttpClientError { impl fmt::Display for CustomHttpClientError { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { match self { - Self::Blacklist { + Self::Blocked { domain, - } => write!(f, "Blacklisted domain: {domain} matched HTTP_REQUEST_BLACKLIST_REGEX"), + } => write!(f, "Blocked domain: {domain} matched HTTP_REQUEST_BLOCK_REGEX"), Self::NonGlobalIp { domain: Some(domain), ip, @@ -216,7 +215,7 @@ impl CustomDnsResolver { fn pre_resolve(name: &str) -> Result<(), CustomHttpClientError> { if should_block_address(name) { - return Err(CustomHttpClientError::Blacklist { + return Err(CustomHttpClientError::Blocked { domain: name.to_string(), }); } |